
Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed

  • Posted on:April 15, 2014 at 10:21 am
  • Posted in:Mobile, Vulnerabilities
  • Author:
    Veo Zhang (Mobile Threats Analyst)

In an earlier blog post, we mentioned that mobile apps are also affected by the Heartbleed vulnerability because they may connect to servers affected by the bug. It now appears that mobile apps themselves can be vulnerable, either through the OpenSSL library in the Android system or through a copy of OpenSSL bundled with the app.

OpenSSL Library Present in Android 4.1.1 and Certain Mobile Apps

Although OpenSSL is integrated into the Android system, only Android 4.1.1 ships a version affected by Heartbleed. On devices running that version, any app that uses the system OpenSSL library to establish SSL/TLS connections is potentially affected: a malicious or compromised server can use the bug to read user information out of the app's process memory.

Even if your device is not running the affected version, the apps themselves remain a concern. We found 273 apps in Google Play that bundle their own copy of the affected OpenSSL library, which means those apps are vulnerable on any device, regardless of the Android version.

The list includes last year's most popular games, some VPN clients, a security app, a popular video player, an instant messaging app, a VoIP phone app and many others. Apps use the OpenSSL library for secure communications, and many of the apps on the list come from top developers. We also found the vulnerability in older versions of Google's own apps.


Figure 1. Apps vulnerable to Heartbleed include those that are highly popular

These apps statically link the vulnerable OpenSSL library into their native code, as shown below:



Figure 2. Vulnerable OpenSSL Library
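Checking an APK for a statically linked, Heartbleed-era OpenSSL can be automated by looking for the version banner that OpenSSL compiles into libcrypto/libssl and, through static linking, into any native library that includes them. The script below is an added example, not Trend Micro's tool and not code from the post: it builds a constructed stand-in APK in memory (fake ELF bytes carrying a banner, with constructed file names) and scans every lib/*/*.so for a banner in the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1). scan_apk_file does the same for a real APK on disk.

```python
import io
import re
import zipfile

# Banner OpenSSL embeds in its binaries, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
# The date that follows the version is not needed for the check.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def is_heartbleed_version(major, minor, patch, letter, beta):
    """True for releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f and
    1.0.2-beta1. 1.0.1g (the fix), 1.0.0 and 0.9.8 are not affected."""
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) and "a".."f"; "g" and later are fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


def scan_apk(apk_bytes):
    """Return {native library path: [matching banners]} for every lib/*/*.so
    in the APK whose bytes contain a Heartbleed-era OpenSSL version banner."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            hits = set()
            for m in BANNER_RE.finditer(data):
                major, minor, patch = (int(x) for x in m.group(1, 2, 3))
                letter = m.group(4).decode()
                beta = (m.group(5) or b"").decode()
                if is_heartbleed_version(major, minor, patch, letter, beta):
                    hits.add(m.group(0).decode())
            if hits:
                findings[name] = sorted(hits)
    return findings


def scan_apk_file(path):
    """Scan an APK stored on disk (an APK is an ordinary zip file)."""
    with open(path, "rb") as f:
        return scan_apk(f.read())


def build_sample_apk(banner):
    """Constructed stand-in for an APK (not a real app): a zip holding a fake
    ELF that embeds the given banner plus one native lib with no OpenSSL string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/armeabi/libcrypto.so", b"\x7fELF" + b"\x00" * 32 + banner + b"\x00")
        zf.writestr("lib/armeabi/libhelper.so", b"\x7fELF" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for banner in (b"OpenSSL 1.0.1e 11 Feb 2013", b"OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner.decode(), "->", scan_apk(build_sample_apk(banner)))
```

The banner is a heuristic in both directions: a library built with OPENSSL_NO_HEARTBEATS carries the banner but is not exploitable, and a build that strips or renames the string will be missed. Treat a hit as a reason to confirm, for example by checking whether the app's TLS client advertises the heartbeat extension at all.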

A reverse (client-side) Heartbleed attack is possible if the remote servers those apps connect to are malicious or compromised: the server sends the malformed heartbeat request, and the app's own OpenSSL answers with the contents of the app's process memory. That memory may contain any sensitive information the app holds locally. If you use a vulnerable VPN client or VoIP app to connect to a malicious service, you may lose your private key or other credentials, after which the attacker can impersonate you and act in your name.
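The mechanism behind that reverse attack, as an added example that is neither code from the post nor OpenSSL's own: a Python model of the TLS heartbeat handler before and after the OpenSSL 1.0.1g fix, run against a constructed HeartbeatRequest from a malicious server and a constructed byte string standing in for the app's private key sitting next to the record in the client's heap. The record layout (type, 2-byte payload_length, payload, at least 16 bytes of padding) follows RFC 6520; the memory layout is an assumption made for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def build_heartbeat_request(payload, claimed_length=None):
    """HeartbeatRequest: type(1) | payload_length(2) | payload | padding.
    A malicious server sets claimed_length larger than the payload it sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def process_heartbeat_vulnerable(memory, record_length):
    """Models tls1_process_heartbeat() in OpenSSL 1.0.1 to 1.0.1f: the
    peer-supplied payload_length is trusted and that many bytes are copied
    from the payload pointer, so a length larger than the record walks past
    it into whatever the process holds next (up to 64 KB per request).
    `memory` models the heap starting at the record; `record_length` is
    ignored, which is the bug."""
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[3:3 + payload_length]          # the over-read
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def process_heartbeat_fixed(memory, record_length):
    """The same handler with the bounds checks added in OpenSSL 1.0.1g."""
    if 1 + 2 + MIN_PADDING > record_length:
        return None                                  # silently discard, as the fix does
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None                                  # claimed length exceeds the record
    echoed = memory[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def simulate_reverse_heartbleed(request, secret, handler):
    """Place the incoming record directly before `secret` (constructed stand-in
    for the app's private key) and return the response the app would send."""
    memory = request + secret
    return handler(memory, len(request))


if __name__ == "__main__":
    key = b"-----BEGIN PRIVATE KEY-----MIIEvgIBADANBg"   # constructed, not a real key
    evil = build_heartbeat_request(b"ping", claimed_length=40)
    print("vulnerable client answers:", simulate_reverse_heartbleed(evil, key, process_heartbeat_vulnerable))
    print("fixed client answers:     ", simulate_reverse_heartbleed(evil, key, process_heartbeat_fixed))
```

The direction of the attack is the only thing that differs from the server-side case: the same handler runs in the TLS client, so an app that bundles 1.0.1 through 1.0.1f leaks regardless of how well the server it talks to is patched.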

We advise app developers to upgrade the bundled OpenSSL library as quickly as possible and publish the fixed builds to end users. General users need to be aware that a vulnerable client can leak information no matter how secure the remote server is, or how reputable and trustworthy the app developer. Update your apps as soon as a fix is made available. Google is currently distributing patching information for the affected Android version, so also check whether an update is available for your device.

We will also be creating a tool very soon to check if your apps are vulnerable.

An Update on Apps Connecting to Servers Vulnerable to Heartbleed

After we disclosed that mobile apps were connecting to vulnerable servers, we continued to monitor them. At the time of monitoring we saw up to 7,000 apps connecting to Heartbleed-vulnerable servers; in our latest verification, around 6,000 apps are still affected. Let's see what types of mobile apps they are:


Figure 3. Distribution of Mobile Apps Vulnerable to Heartbleed, by Category

For discussion purposes, we highlight only the app categories that we consider potentially sensitive, in that they may store users' private information on the server, which means users may leak information by using these apps. A large portion of these apps are Lifestyle apps, which cover anything from ordering food, groceries and equipment to reading books, couponing, clothing and furniture. If a user orders food or supplies through one of these affected apps, information about the order, including user credentials, the home address or, worse, credit card information, can be leaked.

Note that we have informed Google about this issue.

For other posts discussing the Heartbleed bug, check these other posts:

  • Trend Micro Heartbleed Detector Now Available
  • Heartbleed Bug—Mobile Apps are Affected Too
  • Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
  • Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability
Tags: android, android 4.1.1, androidOS, apps, Heartbleed, jellybean, lifestyle apps, Mobile, OpenSSL, SSL, TLS
